PHP Integer-Overflow Vulnerability

vendor:

PHP

by:

SecurityFocus

7.5

CVSS

HIGH

Integer-Overflow

190

CWE

Product Name: PHP

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2005

PHP Integer-Overflow Vulnerability

PHP is prone to an integer-overflow vulnerability because the application fails to do proper bounds checking on user-supplied data. An attacker can exploit this vulnerability to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely cause denial-of-service conditions.

Mitigation:

Ensure that proper bounds checking is done on user-supplied data.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/20349/info

PHP is prone to an integer-overflow vulnerability because the application fails to do proper bounds checking on user-supplied data.

An attacker can exploit this vulnerability to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely cause denial-of-service conditions.

<?

 print_r(unserialize('a:1073741823:{i:0;s:30:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}'));
?>

in function zend_hash_init() int overflow ( ecalloc() )-> heap overflow
here segfault in zend_hash_find() but it's possible to fake the bucket and
exploit a zend_hash_del_index_or_key
i tried a memory dump , just fake the bucked with the pointer of the
$GLOBALS's bucket but segfault before in memory_shutdown...